Change Your LinkedIn Passwords


HeliX

My password was leaked, and cracked. What does this mean for me? I've changed it now on LinkedIn but am I going to have to empty my bank accounts and change my name and so on?

 

Keep an eye out for any scam emails, there's usually a flurry of them after a big breach like this and they may know a bit more about you to make them look genuine.

My password was leaked, and cracked. What does this mean for me? I've changed it now on LinkedIn but am I going to have to empty my bank accounts and change my name and so on?

 

Keep an eye out for any scam emails, there's usually a flurry of them after a big breach like this and they may know a bit more about you to make them look genuine.

 

ok thanks. I have to admit I do use a handful of passwords all based around the same thing. I'll get onto it and change them, tighten them up.


Personally, I'm just flabbergasted that, after a security breach, anyone would advocate to the general public that going to some third party site and "testing your password" is a good idea. I don't care if these particular sites are benign, it's the most stupid piece of advice to give to non-security savvy people I have ever heard of. Breathtakingly stupid.


Cliff: something like KeePass is ace for keeping lots of unique passwords.

 

Personally, I'm just flabbergasted that, after a security breach, anyone would advocate to the general public that going to some third party site and "testing your password" is a good idea. I don't care if these particular sites are benign, it's the most stupid piece of advice to give to non-security savvy people I have ever heard of. Breathtakingly stupid.

 

Nobody is saying that, are they? That would be stupid. The test is to see if your old password is in those that are breached. Every LinkedIn user should change their password anyway, if theirs is in the list or not. The check is also useful to see if your password is a duplicate and, if the hash has been cracked, gives an indication of how strong it was.

 

That said, the code for the site is javascript, so you can verify what it's doing, and it's hashing the input and sending on the hash, so it is low risk in terms of collecting passwords.

Link to comment
Share on other sites
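The hash-then-compare check discussed in the posts above, as an added example that is not part of the original thread and is not the checker site's code. It assumes the leaked list holds unsalted SHA-1 hex digests and that cracked entries are marked by five leading zeros (from public reporting on the dump, not stated in the thread); the sample list and passwords are constructed.

```javascript
// Added example: local breach-list lookup. All sample data is constructed.
const crypto = require('crypto');

// Unsalted SHA-1 hex digest, the format assumed for the leaked list.
function sha1Hex(password) {
  return crypto.createHash('sha1').update(password, 'utf8').digest('hex');
}

// Assumption (public reporting, not stated in the thread): entries that had
// already been cracked appeared with their first five hex digits zeroed.
function maskCracked(hash) {
  return '00000' + hash.slice(5);
}

// Constructed stand-in for the leaked hash list.
function buildSampleDump() {
  return new Set([
    sha1Hex('blue whale grandfather clock'), // present, not yet cracked
    maskCracked(sha1Hex('linkedin2012')),    // present and marked cracked
  ]);
}

// Classify a password without it ever leaving this process.
function checkPassword(password, dump) {
  const hash = sha1Hex(password);
  if (dump.has(hash)) return 'leaked';
  if (dump.has(maskCracked(hash))) return 'leaked-and-cracked';
  return 'not-found';
}

// What a remote checker that "sends on the hash" would transmit.
// An unsalted SHA-1 of a weak password can still be guessed offline,
// so this is lower risk than sending the password, not zero risk.
function remoteRequestBody(password) {
  return JSON.stringify({ hash: sha1Hex(password) });
}

const dump = buildSampleDump();
for (const pw of ['linkedin2012', 'blue whale grandfather clock', 'unrelated']) {
  console.log(pw, '->', checkPassword(pw, dump));
}
console.log(remoteRequestBody('linkedin2012'));
```

Running the lookup against a locally held copy of the list keeps both the password and its hash off the network.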

Personally, I'm just flabbergasted that, after a security breach, anyone would advocate to the general public that going to some third party site and "testing your password" is a good idea. I don't care if these particular sites are benign, it's the most stupid piece of advice to give to non-security savvy people I have ever heard of. Breathtakingly stupid.

 

Except that the site is absolutely fine, and it's not to test a password, it's to tell you if your password was in the list of leaked ones. A password which you've already changed, for that matter, because it's been leaked to the public.


You're kidding, right?

 

I mean, you do know that there are some poor people out there using the Internet that can't parse javascript in their head, right? Or even deep-examine js include files on webservers, or grasp the concept of comparing hash tables as opposed to using unencrypted passwords.

 

For these poor, impoverished people, one site that says 'test your password' with a load of crap explaining why it's "perfectly safe" is going to look very much like another site that says 'test your password' with a load of crap explaining why it's "perfectly safe", and so in my view, encouraging ordinary, poor, non-javascript-savvy, non-cryptology-savvy people to go around putting passwords that they may be lax enough to be using elsewhere using third party sites is just dumb as hell.


You're kidding, right?

 

I mean, you do know that there are some poor people out there using the Internet that can't parse javascript in their head, right? Or even deep-examine js include files on webservers, or grasp the concept of comparing hash tables as opposed to using unencrypted passwords.

 

For these poor, impoverished people, one site that says 'test your password' with a load of crap explaining why it's "perfectly safe" is going to look very much like another site that says 'test your password' with a load of crap explaining why it's "perfectly safe", and so in my view, encouraging ordinary, poor, non-javascript-savvy, non-cryptology-savvy people to go around putting passwords that they may be lax enough to be using elsewhere using third party sites is just dumb as hell.

 

 

Except I gave a disclaimer for this one, stating that it's purely for curiosity, and only to use a password you've already changed on it. There was plenty of warning on the original post of the link. Also "impoverished"? Really? Wealth has no impact on knowledge.

 

I'm not sure why you're using plurals all the way through when people were only suggesting using this ONE site for ONE purpose.

When a doctor suggests a certain test, they don't expect people to go up and take a load of other tests for stupid purposes, do they? Same applies.

 

By your logic you should also never show someone how to install a program lest they follow it up by installing every malicious program on the internet.


You're kidding, right?

 

I mean, you do know that there are some poor people out there using the Internet that can't parse javascript in their head, right? Or even deep-examine js include files on webservers, or grasp the concept of comparing hash tables as opposed to using unencrypted passwords.

 

For these poor, impoverished people, one site that says 'test your password' with a load of crap explaining why it's "perfectly safe" is going to look very much like another site that says 'test your password' with a load of crap explaining why it's "perfectly safe", and so in my view, encouraging ordinary, poor, non-javascript-savvy, non-cryptology-savvy people to go around putting passwords that they may be lax enough to be using elsewhere using third party sites is just dumb as hell.

 

Those same people are trusting LinkedIn with the same password as their online shopping sites.


Except I gave a disclaimer for this one, stating that it's purely for curiosity, and only to use a password you've already changed on it. There was plenty of warning on the original post of the link. Also "impoverished"? Really? Wealth has no impact on knowledge.

 

I'm not sure why you're using plurals all the way through when people were only suggesting using this ONE site for ONE purpose.

When a doctor suggests a certain test, they don't expect people to go up and take a load of other tests for stupid purposes, do they? Same applies.

Perhaps I didn't make something clear. I wasn't aiming at your personal bit of advice in isolation. I've seen at least two different 'checking' websites being recommended by Twitter commentators and tech sites like Ars Technica, etc. and it's that overall public push for people to try this out that is what I find so ill-advised and contrary to a common sense practice of leaving third parties well alone with password data. This isn't a personal attack on your postings on this thread - sorry if it seemed to be that way.


Fair enough, context seemed like you were blaming me!

 

I'd agree in general to an extent, but I also firmly believe that educating people is never a bad thing. The more knowledge everyone has the better!


Perhaps I didn't make something clear. I wasn't aiming at your personal bit of advice in isolation. I've seen at least two different 'checking' websites being recommended by Twitter commentators and tech sites like Ars Technica, etc. and it's that overall public push for people to try this out that is what I find so ill-advised and contrary to a common sense practice of leaving third parties well alone with password data. This isn't a personal attack on your postings on this thread - sorry if it seemed to be that way.

 

Have you seen this handy checker for the recent MySQL authentication bypass?

 

http://mysqlcheck.com/


The strongest passwords are those chosen at random and of a reasonable length - say 15 numbers/chars/symbols. The difficulty then is remembering them!

 

Not necessarily.

 

My strongest passwords are nonsense sentences that are relatively easy to remember. For example: "My dog and cat are both fond of my blue whale but neither likes my pet grandfather clock." No need for any kind of special characters or strange punctuation at all and it is quite easy to remember.

 

Another approach would be to use five or six words chosen at random from a dictionary of 100,000 words. That would give you about the same level of security as fifteen randomly selected letters (both lower and upper cases), numbers, and punctuation, but be far easier to remember.

 

For my normal passwords, I don't go quite that far. Instead, I use five words chosen to make a very easy to remember phrase that is rather nonsensical. For example, "filthy chocolate penguin concubine houses". It may not be as secure as if they were chosen completely at random, but the number of attempts it would take to brute force the phrase would take a very long time to hack.

Link to comment
Share on other sites
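The comparison in the post above between random dictionary words and fifteen random characters, worked through as an added example that is not part of the original thread. It assumes a 94-symbol printable ASCII set for "letters, numbers, and punctuation" and uniform random selection; the word list in the generator is a constructed eight-word sample, so its output only illustrates the mechanism.

```javascript
// Added example: passphrase entropy versus random-character entropy.
const { randomInt } = require('crypto');

const DICT_SIZE = 100000;               // dictionary size quoted in the post
const CHARSET_SIZE = 26 + 26 + 10 + 32; // assumption: 94 printable ASCII symbols

// Bits of entropy for `count` independent, uniform picks from `poolSize` options.
function entropyBits(poolSize, count) {
  return count * Math.log2(poolSize);
}

// Fewest uniformly chosen words needed to reach at least `targetBits`.
function wordsNeeded(dictSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(dictSize));
}

// Pick words with the OS CSPRNG; randomInt is uniform (no modulo bias).
// The entropy figures above hold only for selection done this way,
// not for words a person picks to form a memorable phrase.
function generatePassphrase(wordlist, count) {
  if (new Set(wordlist).size !== wordlist.length) {
    throw new Error('word list contains duplicates');
  }
  const words = [];
  for (let i = 0; i < count; i++) {
    words.push(wordlist[randomInt(wordlist.length)]);
  }
  return words.join(' ');
}

function compare() {
  const chars15 = entropyBits(CHARSET_SIZE, 15);
  return {
    chars15,
    words5: entropyBits(DICT_SIZE, 5),
    words6: entropyBits(DICT_SIZE, 6),
    wordsToMatch: wordsNeeded(DICT_SIZE, chars15),
  };
}

// Constructed sample list; a real list needs thousands of entries.
const SAMPLE_WORDS = ['anchor', 'blanket', 'cobalt', 'dune',
                      'ember', 'fjord', 'gravel', 'hollow'];

console.log(compare());
console.log(generatePassphrase(SAMPLE_WORDS, 6));
```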

The sooner people swallow their pride and use a password manager, the more secure the net will be :thumbsup:

 

It took me a while to admit that remembering 15 different passwords wasn't wise, but now everything is so much easier and all of my passwords are ridiculously secure.


Archived

This topic is now archived and is closed to further replies.
